TDL3 Rootkit Presentation

TDL3 Rootkit
A SANS NewsBites Analysis by
Marshall Washburn
Topic: TDL3 Rootkit variant
• SANS NewsBites - Volume: XII, Issue: 70
(August 26, 27 & 30, 2010)
• TDL3 Rootkit, version 3.273
• Combination of MBR rootkit, Rustock.C and
old Tdss variants.
• Stealthiest in the world.
• Wikipedia – “A rootkit is software that enables
continued privileged access to a computer,
while actively hiding its presence from
administrators by subverting standard
operating system functionality or other
• High risk, 1-in-5 Windows machines.
• “Root” and “kit”
• “A rootkit allows
someone, either legitimate or malicious, to
maintain command and control over a
computer system, without the computer
system user knowing about it”
• Typically 32-bit problems
Rootkits are not really viruses
Machine independent
Remote access
Anti-virus level access
• Digital Signature check for rogue drivers
• “PatchGuard” prevents some changes to
Windows kernel.
• Vista and Win7 do not allow Admin
TDL3 Rootkit
Also known as Alureon rootkit
More sophisticated
Version 3.273
Targets 64-bit machines that were previously
considered safer
• Spread through websites and exploit kits
TDL3 Rootkit
• Gains control during the boot sequence
• Alters the Master Boot Record. This gets around
the first two preventions.
• Enacts a restart, which loads the altered MBR
and catches process signals.
• Encrypted with ROR loop (rotate right).
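The slide above says TDL3 alters the Master Boot Record to get around the driver signature check and PatchGuard, so a defender's basic check is to compare the first sector's boot code against a known-good hash. The following is an added example, not part of the original presentation: the sector bytes are constructed for the demonstration and the function names are my own.

```python
import hashlib
import struct

SECTOR_SIZE = 512          # the MBR is the first 512-byte sector of the disk
PART_TABLE_OFFSET = 446    # boot code occupies bytes 0..445
BOOT_SIG_OFFSET = 510      # bytes 510..511 must be 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, num_sectors = struct.unpack_from("<II", sector, off + 8)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": num_sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature": struct.unpack_from("<H", sector, BOOT_SIG_OFFSET)[0],
    }

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the known-good baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != 0xAA55:           # 0x55 0xAA read little-endian
        findings.append("missing 0x55AA boot signature")
    if mbr["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible MBR rootkit)")
    active = [p for p in mbr["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected 1")
    return findings

def _build_sector(boot_code: bytes) -> bytes:
    """Constructed sample: boot code, one active NTFS-type entry (0x07), 0x55AA."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return boot_code.ljust(PART_TABLE_OFFSET, b"\x00") + entry + b"\x00" * 48 + b"\x55\xAA"

# Constructed sample sectors: a clean baseline and one whose boot code was patched.
CLEAN_MBR = _build_sector(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")
TAMPERED_MBR = _build_sector(b"\xEB\x20" + b"\x90" * 32)
CLEAN_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, CLEAN_HASH) or "OK")
    print("tampered:", check_mbr(TAMPERED_MBR, CLEAN_HASH))
```

On a real system the baseline hash would be taken from a trusted image of the disk's first sector and the live sector read with raw disk access.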
TDL3 Rootkit Details
• Kernel code appears as raw bytes, passes
• TDL3 encodes and decodes files on the fly, so it
can pass as being a piece of the kernel code.
• At startup, hunts for driver object.
• Overwrites 824 bytes, avoiding file size check
• Fake driver object, captures disk I/O, hunts for
• Infection
TDL3 Rootkit
• Has a watchdog thread to prevent any change to
the service registry key
• No one can get a handle to infected driver file(red
• In Feb. it caused BSOD with MS10-015 update
• The rootkit used RVA (Relative Virtual Address) offsets
of Windows kernel APIs to find functions. The update
changed those values, so after restart the rootkit called
an invalid address.
TDL3 fights back
• While this caused a BSOD, it did bring notice
to a potential problem
• TDL3 authors released a new version within hours that
worked with the update.
• Process was called tdlcmd.dll or z00clicker.dll
TDL3 Rootkit
First significant 64-bit rootkit
Malware begets more malware
Anti-virus lag
Security chess match
Cited Sites